[gnutls-devel] GnuTLS | boringssl early data is rejected by gnutls server because of the client ticket age > the server ticket age (#1403)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Sep 22 16:25:14 CEST 2022
Zoltán Fridrich commented:


@tatsuhiro-t Hello and thank you for the report.
After looking into the code of both boringssl and gnutls I believe that there is no problem on the gnutls side. The above-mentioned check seems very reasonable to me. On the other hand, it seems to me that the fix should be done on the side of boringssl as it calculates inaccurate ticket_age. From what I have seen boringssl works with seconds and then just multiplies the result by 1000 to fill the ticket_age. I guess if we would change the check to
`if (unlikely(server_ticket_age / 1000 < client_ticket_age / 1000))` it would solve the issue, but I don't know if it is a reasonable change.

@dueno what do you think of this?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1403#note_1110803944
You're receiving this email because of your account on gitlab.com.
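The following simulation is an added illustration of the ticket-age check discussed above; it is not code from GnuTLS or BoringSSL. It assumes the RFC 8446 obfuscation (ticket_age_ms + ticket_age_add mod 2^32), uses constructed timestamps and a constructed ticket_age_add, and shows how a client that keeps time in whole seconds can claim an age larger than the server's millisecond measurement.

```python
# Added example, not code from GnuTLS or BoringSSL. It models the TLS 1.3
# (RFC 8446 4.2.11) ticket-age exchange described in the comment, using
# constructed timestamps, to show how a client clock with whole-second
# granularity can report a ticket_age larger than the server's measurement.
AGE_MOD = 2**32
TICKET_AGE_ADD = 0x9E3779B9  # constructed; a real server picks this randomly per ticket


def client_ticket_age_ms(issued_ms, now_ms, seconds_clock):
    """Age the client will claim. With seconds_clock=True the client keeps
    timestamps in whole seconds and scales by 1000 afterwards (the behaviour
    the comment attributes to BoringSSL); otherwise it measures in ms."""
    if seconds_clock:
        return (now_ms // 1000 - issued_ms // 1000) * 1000
    return now_ms - issued_ms


def obfuscate(age_ms, ticket_age_add=TICKET_AGE_ADD):
    """obfuscated_ticket_age = ticket_age_ms + ticket_age_add mod 2^32."""
    return (age_ms + ticket_age_add) % AGE_MOD


def server_early_data_check(issued_ms, now_ms, obfuscated_age, ticket_age_add=TICKET_AGE_ADD):
    """Server side: recover the client's claimed age and apply the check quoted
    in the comment. Returns (accept, client_ticket_age, server_ticket_age)."""
    client_ticket_age = (obfuscated_age - ticket_age_add) % AGE_MOD
    server_ticket_age = now_ms - issued_ms
    # The check discussed in the thread: a client that claims the ticket is
    # older than the server's own measurement is refused early data.
    accept = not (server_ticket_age < client_ticket_age)
    return accept, client_ticket_age, server_ticket_age


def simulate(issued_ms, now_ms, seconds_clock):
    """Run one ticket issue / resumption round trip with the given client clock."""
    age = client_ticket_age_ms(issued_ms, now_ms, seconds_clock)
    return server_early_data_check(issued_ms, now_ms, obfuscate(age))


if __name__ == "__main__":
    # Constructed scenario: ticket issued at 10.900 s, resumption attempted at 11.200 s.
    # A seconds-granularity client sees 11 - 10 = 1 s and claims 1000 ms, while
    # the server measured only 300 ms, so the strict check rejects early data.
    print(simulate(10_900, 11_200, seconds_clock=True))   # (False, 1000, 300)
    print(simulate(10_900, 11_200, seconds_clock=False))  # (True, 300, 300)
```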



